From 1572c22de1e53a8448527a1a7e8dc2d857df780c Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 26 Feb 2020 18:29:13 -0500
Subject: [PATCH] remove zygote access to apk_data_file

GrapheneOS doesn't use out-of-band updates for base system apps (with a few exceptions) or APEX, so the zygote should never require this access. GrapheneOS also uses exec-based app spawning so it doesn't benefit from preloading in the standard code path.
---
 prebuilts/api/29.0/private/app_zygote.te | 5 -----
 prebuilts/api/29.0/private/webview_zygote.te | 5 -----
 private/app_zygote.te | 5 -----
 private/webview_zygote.te | 5 -----
 4 files changed, 20 deletions(-)

diff --git a/prebuilts/api/29.0/private/app_zygote.te b/prebuilts/api/29.0/private/app_zygote.te
index aa1c104b03..34ee5db15a 100644
--- a/prebuilts/api/29.0/private/app_zygote.te
+++ b/prebuilts/api/29.0/private/app_zygote.te
@@ -55,11 +55,6 @@ allow app_zygote zygote:process sigchld;
 r_dir_file(app_zygote, dalvikcache_data_file);
 allow app_zygote dalvikcache_data_file:file execute;
 
-# Allow reading/executing installed binaries to enable preloading
-# application data
-allow app_zygote apk_data_file:dir r_dir_perms;
-allow app_zygote apk_data_file:file { r_file_perms execute };
-
 # Allow app_zygote access to /vendor/overlay
 r_dir_file(app_zygote, vendor_overlay_file)
 
diff --git a/prebuilts/api/29.0/private/webview_zygote.te b/prebuilts/api/29.0/private/webview_zygote.te
index ebf19053c5..78eea2e542 100644
--- a/prebuilts/api/29.0/private/webview_zygote.te
+++ b/prebuilts/api/29.0/private/webview_zygote.te
@@ -10,11 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # a domain macro.
 tmpfs_domain(webview_zygote);
 
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
 # Access to the WebView relro file.
 allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index aa1c104b03..34ee5db15a 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -55,11 +55,6 @@ allow app_zygote zygote:process sigchld;
 r_dir_file(app_zygote, dalvikcache_data_file);
 allow app_zygote dalvikcache_data_file:file execute;
 
-# Allow reading/executing installed binaries to enable preloading
-# application data
-allow app_zygote apk_data_file:dir r_dir_perms;
-allow app_zygote apk_data_file:file { r_file_perms execute };
-
 # Allow app_zygote access to /vendor/overlay
 r_dir_file(app_zygote, vendor_overlay_file)
 
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index ebf19053c5..78eea2e542 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,11 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # a domain macro.
 tmpfs_domain(webview_zygote);
 
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
 # Access to the WebView relro file.
 allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;